20 November 18
Breaking News

GDPR & Data Protection Policy

Document Description

This document outlines our legal requirements under the General Data Protection Regulations and the processes for how Total Awareness Promotions (TAP) meets them. Note: GDPR comes into force on 28 May 2018 the current Data Protection Act 2000 will continue to apply.

Implementation and Quality Assurance

Implementation is immediate and this Policy shall stay in force until any alterations are formally agreed.

The Policy will be reviewed every two years by the Board of Trustees, sooner if legislation, best practice or other circumstances indicate this is necessary.

All aspects of this Policy shall be open to review at any time. If you have any comments or suggestions on the content of this policy please contact Ben Doughty Ben@TAPevents.org.uk or write to Ben Doughty, 37 Vegal Crescent, Halifax, and HX35PA.

Introduction

The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is a regulation by which the European Parliament, the European Council and the European Commission intend to strengthen and unify data protection for individuals within the European Union (EU). It also addresses the export of personal data outside the EU. The primary objectives of the GDPR are to give citizens back control of their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU. When the GDPR takes affect it will replace the data protection directive (officially Directive 95/46/EC) from 1995. The regulation was adopted on 27 April 2016 and applies from 25 May 2018 after a two-year transition period.

The following guidance is not a definitive statement on the Regulations, but seeks to interpret relevant points where they affect TAP.

The Regulations cover both written and computerised information and the individual’s right to see such records.

It is important to note that the Regulations also cover records relating to staff and volunteers.

All TAP staff are required to follow this Data Protection Policy at all times.

The board of Trustees has overall responsibility for data protection TAP but each individual processing data is acting on the controller’s behalf and therefore has a legal obligation to adhere to the Regulations.

Definitions

Processing of information – how information is held and managed.
Information Commissioner – formerly known as the Data Protection Commissioner.
Notification – formerly known as Registration.
Data Subject – used to denote an individual about whom data is held.
Data Controller – used to denote the entity with overall responsibility for data collection and management. Age UK Exeter is the Data Controller for the purposes of the Act.
Data Processor – an individual handling or processing data
Personal data – any information which enables a person to be identified
Special categories of personal data – information under the Regulations which requires the individual’s explicit consent for it to be held by the Charity.

Data Protection Principles

As data controller TAP is required to comply with the principles of good information handling.

These principles require the Data Controller to:

1. Process personal data fairly, lawfully and in a transparent manner.
2. Obtain personal data only for one or more specified and lawful purposes and to ensure that such data is not processed in a manner that is incompatible with the purpose or purposes for which it was obtained.
3. Ensure that personal data is adequate, relevant and not excessive for the purpose or purposes for which it is held.
4. Ensure that personal data is accurate and, where necessary, kept up-to-date.
5. Ensure that personal data is not kept for any longer than is necessary for the purpose for which it was obtained.
6. Ensure that personal data is kept secure.
7. Ensure that personal data is not transferred to a country outside the European Economic Area unless the country to which it is sent ensures an adequate level of protection for the rights (in relation to the information) of the individuals to whom the personal data relates.

Genuine Interest

TAP will retain details of customers on invoices and electronically on our accounts. Contact details will also be stored in Web Mail address books and on emails sent to us.

Access to these address books will only be accessible by authorised members. The information stored will not be given to any other third party.

The information stored may be used for:
• Contact in relation to an event or booking
• To evidence income and expenditure in line with charily commission guidelines.
• To discuss future bookings / events

Consent

TAP must record service users’ explicit consent to storing certain information (known as ‘personal data’ or ‘special categories of personal data’) on file.

For the purposes of the Regulations, personal and special categories of personal data covers information relating to:

1. The racial or ethnic origin of the Data Subject.
2. His/her political opinions.
3. His/her religious beliefs or other beliefs of a similar nature.
4. Whether he/she is a member of a trade union.
5. His/her physical or mental health or condition.
6. His/her sexual life.
7. The commission or alleged commission by him/her of any offence
8. Online identifiers such as an IP address
9. Name and contact details
10. Genetic and/or biometric data which can be used to identify an individual

Special categories of personal information collected by TAP will, in the main, relate to Our members and is retained for insurance and DBS purposes.

Consent is not required to store information that is not classed as special category of personal data as long as only accurate data that is necessary for a service to be provided is recorded.

As a general rule TAP will always seek consent where personal or special categories of personal information is to be held.

It should also be noted that where it is not reasonable to obtain consent at the time data is first recorded and the case remains open, retrospective consent should be sought at the earliest appropriate opportunity.

Obtaining Consent

Consent may be obtained in a number of ways depending on the nature of the contact, and consent must be recorded on or maintained within records:

• Membership forms
• Consent when messaging over the website
• Consent after email contact

E-mail

Email footers and contact through the website will contain a disclaimer directing all persons contacting us to our privacy statement. This contains information on how to opt out of us retaining information.

Consent obtained for one purpose cannot automatically be applied to all uses e.g. where consent has been obtained from a service user in relation to information needed for the provision of that service, separate consent would be required if, for example, direct marketing.

Preliminary verbal consent should be sought at point of initial contact as personal and/or special categories of personal data will need to be recorded in an email.

Photographs and Video

Photos and videos are taken at our public events. Such media could be used for, but not limited to, publicity material, press releases, social media, and website.

A notice shall be displayed at all events explaining how photos could be used. This notice will also inform how a person can request a photos removal. This will be re-enforced with an audio announcement/warning played throughout an event.

Individuals have a right to withdraw consent at any time

Ensuring the Security of Personal Information

Unlawful disclosure of personal information

1. It is an offence to disclose personal information ‘knowingly and recklessly’ to third parties.

2. It is a condition of membership that all members for whom we hold personal details sign a consent form allowing us to hold such information.

3. It is a condition booking that all customers/service users for whom we hold personal details sign a consent form allowing us to hold such information.

4. A subject’s individual consent to share information should always be checked before disclosing personal information to another agency.

5. Where such consent does not exist information may only be disclosed if it is in connection with criminal proceedings or in order to prevent substantial risk to the individual concerned.

6. Personal information should only be communicated within TAP’s staff and volunteer team on a strict need to know basis.

Use of Files, Books and Paper Records

In order to prevent unauthorised access or accidental loss or damage to personal information, it is important that care is taken to protect personal data. Paper records should be kept in locked cabinets/drawers overnight and care should be taken that personal and special categories of personal information is not left unattended and in clear view during the working the day. If your work involves you having personal / and/or special categories of personal data at home or in your car, the same care needs to be taken.

Disposal of Scrap Paper, Printing or Photocopying Overruns

Be aware that names/addresses/phone numbers and other information written on scrap paper are also considered to be confidential. Please do not keep or use any scrap paper that contains personal information but ensure that it is shredded.

If you are transferring papers from your home, or your client’s home, to the office for shredding this should be done as soon as possible and not left in a car for a period of time. When transporting documents they should be carried out of sight in the boot of your car.

Computers

TAP has a number of computing devices.

TAP LAPTOP – Ben Doughty – Encrypted and password protected – contains all TAP documentation

TAP Tablets x 2 – Ben Doughty & Lyndon Hainsworth – Contains access to webmail. Android encrypted, password protected and password protected access to webmail

TAP Net book – Password protected – no personal information contains only audio files

External Hard drives x 1 & USB drive x 3 – Encrypted and password protected

Webmail – Email is hosted by Leegething.com. Email access is password protected and only available via logging in on a user profile. No auto forwards are live on any account.

Firewalls and virus protection to be employed at all times to reduce the possibility of hackers accessing our system and thereby obtaining access to confidential records.

Documents should only be stored on the TAP lap top with an encrypted external hard drive Backup stored securely at the address of one of the Trustees.

Where computers or other mobile devices are taken for use off the premises the device must be encrypted and password protected.

Cloud Computing/Webmail

When commissioning systems, TAP will satisfy themselves as to the compliance of data protection principles and robustness of the cloud based/Web providers.

Privacy Statements

Any documentation which gathers personal and/or special categories of personal data should contain the following Privacy Statement information:

• Explain who we are
• What we will do with their data
• Who we will share it with
• Consent for marketing notice
• How long we will keep it for
• That their data will be treated securely
• How to opt out
• Where they can find a copy of the full notice

Personnel Records

The Regulations apply equally to volunteer and staff records. TAP may at times record special categories of personal data with the volunteer’s consent.

For volunteers it may be necessary for TAP to apply to the Disclosure & Barring Service to request a disclosure of spent and unspent convictions, as well as cautions, reprimands and final warnings held on the police national computer. Any information obtained will be dealt with under the strict terms of the DBS Code. Access to the disclosure reports is limited to the Trustees.

Confidentiality

When working from home, or from some other off-site location, all data protection and confidentiality principles still apply. All computer data, e.g. documents and programmes related to work for TAP should not be stored on a personal computer. If documents need to be worked on another computer they should be saved onto a USB drive which should encrypted and password protected.

Workstations in areas accessible to the public, e.g. At an event, should operate a clear desk practice so that any paperwork, including paper diaries, containing personal and/or special categories of personal data is not left out where passers-by could see it.

When sending emails to outside organisations, e.g. To event organisers, every effort should be made to keep the recipients information private. If a group email is being sent it is best practice to BCC all recipients.

Any paperwork should be treated as confidential and kept securely. Documents should not be kept in open view (e.g. on a desktop) but kept in a file in a drawer or filing cabinet as examples, the optimum being a locked cabinet but safely out of sight is a minimum requirement.

When carrying paper files or documents they should be in a locked briefcase or in a folder or bag which can be securely closed or zipped up.

Retention of Records

Paper records should be retained for the following periods at the end of which they should be shredded:

• Client records – 5 years after ceasing to be a client.
• Unsuccessful staff application forms – 3 months after vacancy closing date.
• Volunteer records – 5 years after ceasing to be a volunteer.
• Timesheets and other financial documents – 5 years.
• Employer’s liability insurance – 10 years.
• Other documentation, e.g. Email enquiries, should be destroyed as soon as it is no longer needed for the task in hand and in any case within 12 months.
• Email address books and Inboxes will be weeded every year.

What to Do If There Is a Breach

If you discover, or suspect, a data protection breach you should report this to a trustee The trustees should be informed of the breach, action taken and outcomes to determine whether it needs to be reported to the Information Commissioner.

Any deliberate or reckless breach of this Data Protection Policy by any volunteer may result in disciplinary action which may result in dismissal.

The Rights of an Individual

Under the Regulations an individual has the following rights with regard to those who are processing his/her data:

• Personal and special categories of personal data cannot be held without the individual’s consent

• Data cannot be used for the purposes of direct marketing of any goods or services if the Data Subject has declined their consent to do so.

• Individuals have a right to have their data erased and to prevent processing in specific circumstances:

o Where data is no longer necessary in relation to the purpose for which it was originally collected
o When an individual withdraws consent
o When an individual objects to the processing and there is no overriding legitimate interest for continuing the processing
o Personal data was unlawfully processed

• An individual has a right to restrict processing – where processing is restricted, TAP is permitted to store the personal data but not further process it. TAP can retain just enough information about the individual to ensure that the restriction is respected in the future.

• An individual has a ‘right to be forgotten’.
TAP will not undertake direct telephone marketing activities under any circumstances.

Data Subjects can ask, in writing to Trustees, to see all personal data held on them, including e-mails and computer or paper files. The Data Processor (TAP) must comply with such requests within 30 days of receipt of the written request.

Powers of the Information Commissioner

The following are criminal offences, which could give rise to a fine and/or prison sentence

• The unlawful obtaining of personal data.
• The unlawful selling of personal data.
• The unlawful disclosure of personal data to unauthorised persons.

Further Information

Further information is available at www.informationcommissioner.gov.uk

Details of the Information Commissioner

The Information Commissioner’s office is at:

Wycliffe House
Water Lane
Wilmslow
Cheshire SK9 5AF

Switchboard: 01625 545 700
Email: mail@ico.gsi.gov.uk
Data Protection Help Line: 01625 545 745
Notification Line: 01625 545 740

 

 

Document Version Number: 1
Approved by Board of Trustees on: TBC

 

Review Schedule: Every two years
Next review due: TBC

If you wish to download our GDPR & Data Protection Policy please click here.